Forum Discussion

groock
Copper Contributor
May 08, 2024

Enhanced Security Mode not active when two different proxy pac files are used

Edge (Version 124.0.2478.80) enhanced security mode seems not to be active if you have different pac files in "Internet Settings" and Edge "ProxySettings" defined.


We configured Windows 11 to use a proxy pac file only for intranet applications.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
AutoConfigURL -> "https://server/intranet.pac"


Additionally we configured Edge to use a proxy pac file which allows internet access.

HKEY_CURRENT_USER\Software\Policies\Microsoft\Edge
ProxySettings -> {"ProxyMode": "pac_script","ProxyPacMandatory": true,"ProxyPacUrl": "https://server/internet.pac"}


We want to allow internet surfing only in Edge with enhanced security mode active. All other applications are only allowed to access intranet URLs.


In general the setup is working, but I am not sure if enhanced security mode is active.

The UI indicator for enhanced security mode is only shown if only one proxy setting is defined.

If I delete the ProxySettings value the indicator is available. If I do it the other way around (delete AutoConfigURL within the "Internet Settings" key and keep ProxySettings), the UI indicator is also visible.


With both values specified the indicator is not visible.

How can I check if ESM is turned on without the UI indicator?


Is it a bug or a feature that the UI indicator is not available in that case?


4 Replies

  • groock Hi - Thanks for reaching out!  I've asked the team to take a look at this and will follow up with any insights from them or if they have any questions.  


    -Kelly

    • Kelly_Y
      Microsoft

      groock Hey!  Following up with some questions from the team :smile:


      You mentioned the "UI indicator" for enhanced security mode, is this referring to the PageInfo flyout or something else?  Would you be able to provide a screenshot? 


      Also, which specific URL are you trying to visit? And are you using strict or balanced mode?  Our developer mentioned that it's possible that in balanced mode, the site is getting enough engagement when you are trying with both proxies.  


      Additionally, can you visit the 'Enhanced Security Mode' tab from edge://security-diagnostics and provide the additional diagnostics details?  If there is PII, please do not post it here, you can send me a message directly if necessary.  Thanks! 


      -Kelly

      • groock
        Copper Contributor
        Hey Kelly,

        The problem has been solved by Microsoft support. I opened a support case and we figured out the root cause for this issue.

        In the internet settings (inet.cpl) the setting "Include all sites that bypass the proxy server" (Security -> Local Intranet -> Sites) was enabled.
        When the user opened an internet address, e.g. http://www.bing.com, the site was not part of the intranet.pac file, so it bypassed the proxy server and was assigned to the Local Intranet zone. Enhanced security mode is not active in the Local Intranet zone.
        We set "Include all sites that bypass the proxy server" to disabled and enhanced security mode is now working for us.
        So the UI indicator is available and visible while browsing.

        Thank you.
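Added example, not part of the thread: a PowerShell audit that reads the three settings this thread turned out to hinge on (the Windows AutoConfigURL, the Edge ProxySettings policy JSON, and the Local Intranet zone option) and flags the combination that suppressed ESM. The mapping of the inet.cpl checkbox "Include all sites that bypass the proxy server" to the DWORD ZoneMap\ProxyBypass is an assumption on my side; the thread names only the checkbox.

```powershell
# Audit the registry settings behind the ESM-not-visible symptom in this thread.
# Assumption: the inet.cpl checkbox "Include all sites that bypass the proxy server"
# is backed by ZoneMap\ProxyBypass (1 = checked). An absent value is reported as unchecked.

$inetSettings = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneMap      = "$inetSettings\ZoneMap"
$edgePolicy   = 'HKCU:\Software\Policies\Microsoft\Edge'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-EsmProxyAudit {
    $winPac      = Get-RegValue $inetSettings 'AutoConfigURL'
    $edgeRaw     = Get-RegValue $edgePolicy   'ProxySettings'
    $proxyBypass = Get-RegValue $zoneMap      'ProxyBypass'

    # The Edge policy is a JSON string; only pac_script mode carries a PAC URL.
    $edgePac = $null
    if ($edgeRaw) {
        $edgeJson = $edgeRaw | ConvertFrom-Json
        if ($edgeJson.ProxyMode -eq 'pac_script') { $edgePac = $edgeJson.ProxyPacUrl }
    }

    $twoPacs  = [bool]($winPac -and $edgePac -and ($winPac -ne $edgePac))
    $bypassOn = ($proxyBypass -eq 1)

    [pscustomobject]@{
        WindowsPacUrl       = $winPac
        EdgePacUrl          = $edgePac
        BypassSitesIntranet = $bypassOn
        # True reproduces the root cause from the thread: URLs the Windows PAC does
        # not route bypass the proxy, land in Local Intranet, and ESM does not apply
        # there even though Edge itself follows its own PAC.
        EsmSuppressedByZone = ($twoPacs -and $bypassOn)
    }
}

$audit = Get-EsmProxyAudit
$audit | Format-List

if ($audit.EsmSuppressedByZone) {
    # Remediation the thread applied: untick the checkbox. Drop -WhatIf to apply.
    Set-ItemProperty -Path $zoneMap -Name 'ProxyBypass' -Value 0 -Type DWord -WhatIf
}
```

Run as the affected user, since all three values live under HKCU; after applying the change, the Edge page-info flyout or edge://security-diagnostics (as Kelly suggested) confirms whether ESM is active.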
